Encryption performed by the cloud service provider using keys owned and managed by the cloud service provider

Server Side Encryption with Customer Provided Keys (SSE-CPK)

Encryption performed by the cloud service provider using keys owned and managed by the customer

Client Side Encryption

Encryption performed by the customer (in the cloud) using keys owned and managed by the customer

To sum up, there are three models for performing encryption and key management in the cloud: SSE, SSE-CPK and Client Side Encryption. Of the three, I think that only the client side encryption method with keys accessed only when needed from the customer’s on premise key manager earns the title of “Intelligent Key Management for the Cloud” because it gives the customer the most control over their data.

However there is still a problem even with client side encryption. While running, the virtual machine will have the encryption keys in its memory. This memory could be attacked and a determined advisory could retrieve the data encryption key (DEK) used to encrypt the drive. In fact there is a lot more information in memory than just keys. At one point or another, most of the data on the drive will have been processed in memory –Gartner recently discussed this in Key Management as a Service Exposes Different Risks to Data in Public Clouds. This “data in use” could be vulnerable to unauthorized access, insider threats or hypervisors hacks and vulnerabilities. That said, recent CPU flaws – particularly ‘Meltdown’ – have brought attention to the need for protection of memory, especially in cloud environments, to reduce potential exposure to such vulnerabilities.

Ultimately, these concerns lead to trust issues on the customer side. Enterprises today are reluctant to move their most sensitive data into the Cloud because of concerns with:

Confidentiality of data-at-rest

Confidentiality of data-in-use

Exposure to other tenants

Cloud Service Provider admin access

Cloud Infrastructure vulnerabilities

Undisclosed government access

Why is this? Because, the ultimate responsibility for data security remains with the Enterprise.

On the other hand the CSP has a concern with “liability” because they have potential access to customer data in use and at rest. They need to spend time and money on expensive controls to obtain certifications to build trust, but still have potential exposure to customer data in the end.

The solution to both the trust and liability problem is for the cloud service provider (CSP) to not have access to customer data in use or at rest, not even CSP administrators or hypervisors. Encrypting both the storage and memory of a virtual machine is the answer, so long as the customer controls the process – not the CSP.

For encryption of virtual memory, AMD’s Secure Encrypted Virtualization (SEV) technology is available in their EPYC processor <here>.

The VM memory is encrypted in hardware, so not even the hypervisor can see its memory in plain text, and almost the entire memory space is encrypted transparently to the applications, so no application re-engineering is required.

But encrypting data in use (i.e. in memory) is only ½ of the solution. Memory can be paged out or saved to the drive, so the drive needs to be encrypted too. This is where SecureDoc CloudVM FDE (Full Drive Encryption) comes in to encrypt the disk volume, protecting data at rest, while VM memory encryption solves the problem of keys in clear text in memory that I pointed out 2 ½ years ago is solved too.

Better yet, CloudVM makes intelligent policy decisions regarding if and when the VM can boot. It also plays a critical in role in enforcing policy that specifies CloudVM must only run on hardware with encrypted memory, even in a cloud environment. If not, launching the VM will be halted before it even gets the encryption keys to boot:

To view a 3 minute demonstration of WinMagic’s CloudVM for Linux running with encrypted memory on an AMD EPYC processor, please click <here>

Or

Leave a Comment

comments

Tagged Under:

Garry, a CISSP, has more than 30 years of experience in data communications and information security. He has contributed to the development of WinMagic's full-disk encryption solutions for desktops, laptops, and other mobile devices. When he is not saving the world of data encryption, he takes off his cape to relax and enjoy life at the cottage. Garry writes from a position of technical expertise since we first started SecureSpeak, making him the longest running blogger at WinMagic. Garry McCracken

The Site is open to the public. Therefore, consider your comments carefully and do not include anything in a comment that you would like to keep private. By uploading or otherwise making available any information to WinMagic in the form of user generated comments or otherwise, you grant Winmagic the unlimited, perpetual right to distribute, display, publish, reproduce, reuse and copy the information contained therein.

You are responsible for the content you post. You may not impersonate any other person through the blog. You may not post content that is obscene, defamatory, threatening, fraudulent, invasive of another person’s privacy rights, or is otherwise unlawful. You may not post content that infringes the intellectual property rights of any other person or entity. You may not post any content that contains any computer viruses or any other code designed to disrupt, damage, or limit the functioning of any computer software or hardware.

By submitting or posting content on the blog, you grant WinMagic and any company substantially under its control, the right to remove any content or comment that, in WinMagic’s sole judgment, does not comply with the posting guideline, the terms of this website or is otherwise objectionable. You also grant WinMagic and any company substantially under its control the right to modify, adapt, and edit any content.

Your use of this blog is subject to the terms of use of the website on which this blog is hosted blog.winmagic.com. Because WinMagic values your thoughtful opinions, we encourage you to add a comment to this discussion. However, please don’t be offended if we edit your comments for clarity or to keep out questionable matters, and we may even delete off-topic comments. Any opinions expressed within the blog are those of the author and not necessarily held by WinMagic itself. The information on this blog may be changed without notice and is not guaranteed to be complete, correct, timely, current or up-to-date. Similar to any printed materials, the information on this blog may become out-of-date. Winmagic undertakes no obligation to update any information on the blog; provided, however, that WinMagic may update the information on this blog at any time without notice in WinMagic’s sole and absolute discretion.